CVE-2026-9082: Critical SQL Injection in Drupal Core Confirmed in the Wild
- ninp0
On May 20, 2026, the Drupal security team released SA-CORE-2026-004, disclosing a highly critical SQL injection vulnerability in Drupal core (CVE-2026-9082). The vulnerability resides in the PostgreSQL EntityQuery condition handler within Drupal's database abstraction layer and allows unauthenticated, remote attackers to inject arbitrary SQL statements against PostgreSQL-backed Drupal installations.
The Drupal security team rated this vulnerability 20 out of 25 on its internal risk scale — the highest possible severity tier. CISA subsequently added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation.
EXECUTIVE SUMMARY
CVE-2026-9082 is a highly critical SQL injection in Drupal core, rated 20/25 by the Drupal security team — the maximum severity on their scale. The vulnerability affects PostgreSQL-backed Drupal sites exclusively, and was confirmed actively exploited within hours of disclosure. CISA added the vulnerability to its KEV catalog post-disclosure, confirming real-world attack activity.
The root cause lies in Drupal's PostgreSQL EntityQuery condition handler, where user-controlled PHP array keys can reach SQL placeholder construction unsanitized. An attacker can supply crafted array keys that bypass Drupal's normal input validation, injecting raw SQL into the query construction pipeline. Drupal's fix applies array_values() to strip attacker-supplied keys.
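The following PHP example is added here to illustrate the bug class the summary describes; it is not Drupal's EntityQuery code and does not reproduce the patched condition handler. It shows a generic query-builder helper that interpolates caller-supplied array keys into placeholder names beside the same helper after array_values() has stripped those keys, plus a shape check that a code reviewer or test can apply. The function names, the ':v_N' placeholder scheme and the constructed input array are assumptions.

```php
<?php
declare(strict_types=1);

// Illustrative example, not Drupal core code. Function names, the ':v_N'
// placeholder scheme and the sample input are assumptions made for this demo.

/**
 * Weak pattern: the array KEY is concatenated into the placeholder name, so
 * whatever the key contains becomes part of the SQL text that the database
 * parses. Only the VALUE is bound as a parameter.
 */
function buildInClauseWeak(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ':v_' . $key;            // key reaches the SQL string unsanitized
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$column . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

/**
 * Hardened pattern (the approach the advisory's fix takes): array_values()
 * discards whatever keys the caller sent, so the placeholder suffix is always a
 * 0-based integer chosen by this code and caller data appears only as a bound value.
 */
function buildInClauseHardened(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach (array_values($values) as $index => $value) {
        $name = ':v_' . $index;
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$column . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

/**
 * Review/test check: the generated clause must have exactly the intended shape,
 * with every placeholder a clean identifier. Anything else means caller data
 * leaked into the SQL text.
 */
function inClauseIsWellFormed(string $sql): bool
{
    return (bool) preg_match(
        '/^[A-Za-z_][A-Za-z0-9_.]* IN \(:[A-Za-z0-9_]+(, :[A-Za-z0-9_]+)*\)$/',
        $sql
    );
}

// Constructed input: a decoded request array whose keys the client chose.
// The keys are deliberately harmless; the point is that they reach the SQL
// text at all, which is what stripping them with array_values() prevents.
$untrusted = ['a b' => 'alice', "x'y" => 'bob'];

[$weakSql, $weakArgs] = buildInClauseWeak('u.name', $untrusted);
[$safeSql, $safeArgs] = buildInClauseHardened('u.name', $untrusted);

echo "weak:      {$weakSql}\n";
echo "hardened:  {$safeSql}\n";
echo 'weak well-formed:     ', var_export(inClauseIsWellFormed($weakSql), true), "\n";
echo 'hardened well-formed: ', var_export(inClauseIsWellFormed($safeSql), true), "\n";
echo 'hardened args:        ', json_encode($safeArgs), "\n";
```

Run with `php example.php`: the weak builder emits a clause in which the client-chosen keys appear verbatim inside the SQL text and fails the shape check, while the hardened builder emits `:v_0, :v_1` placeholders, passes the check, and binds the same two values. The shape check is the part worth keeping in a test suite: it fails whenever any future change lets request-controlled strings back into placeholder names.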
VULNERABILITY DETAILS
CVE ID: CVE-2026-9082
CWE: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command
CVSS v3.1: 6.5 (Medium) — Note: CVSS does not capture the operational severity of in-the-wild exploitation
Drupal Risk Rating: 20/25 — Highly Critical
Attack Vector: Network, Unauthenticated
Affected Component: Drupal core — PostgreSQL EntityQuery condition handler
Disclosure Date: May 20, 2026 (SA-CORE-2026-004)
Pre-release Warning: May 18, 2026 (PSA-2026-05-18)
Scope: PostgreSQL only — MySQL, MariaDB, and SQLite sites are not affected
AFFECTED VERSIONS
Drupal 11.3.0 – 11.3.9 → Fixed in 11.3.10
Drupal 11.2.0 – 11.2.11 → Fixed in 11.2.12
Drupal 11.0.0 – 11.1.9 → Fixed in 11.1.10 (EOL, exceptional release)
Drupal 10.6.0 – 10.6.8 → Fixed in 10.6.9
Drupal 10.5.0 – 10.5.9 → Fixed in 10.5.10
Drupal 10.4.0 – 10.4.9 → Fixed in 10.4.10 (EOL, exceptional release)
Drupal 8.9.20 and 9.5.11 received EOL hotfix files
Drupal 7 is not affected
EXPLOITATION STATUS
CISA has confirmed exploitation in the wild and added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog.
The vulnerability timeline moved rapidly:
May 18: Drupal issued PSA-2026-05-18, warning of a highly critical release and noting exploitation could occur within hours or days.
May 20: Security advisory SA-CORE-2026-004 published with patch.
May 20 (same day): A detection PoC and reproduction lab was published publicly.
May 20–21: The patch diff was shared on social media within hours of disclosure.
Post-disclosure: CISA confirmed exploitation and added the vulnerability to KEV.
The fix diff is small and easy to read, and AI-assisted code analysis makes it straightforward to derive the vulnerable code path from it, which significantly compresses the time between patch release and weaponization.
IMPACT ASSESSMENT
An attacker exploiting CVE-2026-9082 can achieve:
Information Disclosure — Access to all non-public data in the Drupal database, including user credentials, private content, and configuration data.
Data Manipulation / Destruction — Modification or deletion of all data in the affected database.
Privilege Escalation — Potential elevation to administrative privileges within Drupal.
Remote Code Execution — In configurations where SQL injection allows file write operations or function call injection, RCE may be possible.
Drupal's own assessment states confidentiality impact includes "all non-public data accessible" and integrity impact includes "all data modifiable or deletable."
MITIGATION
Immediate Actions:
Upgrade immediately to the fixed version corresponding to your Drupal release branch.
If you cannot upgrade, apply the hotfix files for EOL branches or use Drupal Steward, which is protected against known attack vectors.
Block or monitor for the attack pattern described in the PoC.
Additional Recommendations:
Even sites not running PostgreSQL should update, as the release includes coordinated upstream security updates for Symfony and Twig.
Deploy Web Application Firewall (WAF) rules targeting SQL injection patterns against Drupal endpoints.
Monitor for suspicious database query patterns in PostgreSQL logs.
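As an added example of the log monitoring recommended above (it is not part of the advisory or of Drupal), the PHP script below triages PostgreSQL server log lines for the symptoms that malformed SQL produced by tampered input tends to leave behind: ERROR entries from the application's database role whose message indicates a parse or quoting failure, paired with the STATEMENT line PostgreSQL logs immediately afterwards. The assumed log_line_prefix is `'%t [%p] %u@%d '`, the assumed application role is `drupal`, and the sample log lines are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added defensive example, not from the advisory. Assumes PostgreSQL is
// configured with log_line_prefix = '%t [%p] %u@%d ' and that the Drupal
// site connects as role 'drupal'. Adjust both for your deployment.

/** Error texts that usually accompany SQL broken by unexpected input (assumed list; tune it). */
const SUSPICIOUS_ERRORS = [
    'syntax error at or near',
    'unterminated quoted string',
    'invalid input syntax for type',
    'there is no parameter $',
];
const APP_ROLE = 'drupal';

/**
 * Return one alert per suspicious ERROR line from the application role.
 * Each alert carries the timestamp, backend pid, error text, and the
 * STATEMENT line that PostgreSQL prints next for the same pid, if present.
 */
function triagePostgresLog(array $lines): array
{
    $prefix = '/^(?<ts>.+?) \[(?<pid>\d+)\] (?<user>[^@\s]+)@(?<db>\S+) (?<level>[A-Z]+):\s+(?<msg>.*)$/';
    $alerts = [];
    $open = [];   // pid => index of the alert still waiting for its STATEMENT line

    foreach ($lines as $line) {
        if (!preg_match($prefix, $line, $m)) {
            continue;   // continuation line or a line in another format
        }
        if ($m['level'] === 'STATEMENT' && isset($open[$m['pid']])) {
            $alerts[$open[$m['pid']]]['statement'] = $m['msg'];
            unset($open[$m['pid']]);
            continue;
        }
        if ($m['level'] !== 'ERROR' || $m['user'] !== APP_ROLE) {
            continue;   // admin typos and other roles are out of scope here
        }
        foreach (SUSPICIOUS_ERRORS as $needle) {
            if (stripos($m['msg'], $needle) !== false) {
                $alerts[] = [
                    'time' => $m['ts'],
                    'pid' => (int) $m['pid'],
                    'error' => $m['msg'],
                    'statement' => null,
                ];
                $open[$m['pid']] = array_key_last($alerts);
                break;
            }
        }
    }
    return $alerts;
}

/** Count alerts per backend pid so a burst from one connection stands out. */
function alertsPerPid(array $alerts): array
{
    $counts = [];
    foreach ($alerts as $alert) {
        $counts[$alert['pid']] = ($counts[$alert['pid']] ?? 0) + 1;
    }
    return $counts;
}

// Constructed sample log: one healthy query, two parse failures from the app
// role on the same backend, and an unrelated typo by a DBA that must be ignored.
$sampleLog = [
    '2026-05-20 14:02:11 UTC [4821] drupal@drupal LOG:  duration: 3.2 ms',
    '2026-05-20 14:02:12 UTC [4822] drupal@drupal ERROR:  syntax error at or near "b"',
    '2026-05-20 14:02:12 UTC [4822] drupal@drupal STATEMENT:  SELECT base_table.uid FROM users_field_data base_table WHERE ...',
    '2026-05-20 14:02:13 UTC [4822] drupal@drupal ERROR:  unterminated quoted string at or near "\'"',
    '2026-05-20 14:02:13 UTC [4822] drupal@drupal STATEMENT:  SELECT base_table.nid FROM node_field_data base_table WHERE ...',
    '2026-05-20 14:02:14 UTC [4830] postgres@postgres ERROR:  syntax error at or near "FRM"',
    '2026-05-20 14:02:14 UTC [4830] postgres@postgres STATEMENT:  SELECT 1 FRM pg_stat_activity',
];

$alerts = triagePostgresLog($sampleLog);
echo json_encode($alerts, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo 'alerts per pid: ', json_encode(alertsPerPid($alerts)), "\n";
```

Run with `php triage.php`, or replace `$sampleLog` with `file('/var/log/postgresql/postgresql.log', FILE_IGNORE_NEW_LINES)` to read a real log. On the sample it reports the two errors from backend 4822, each with its statement attached, and ignores the `postgres` role's typo. Repeated parse errors from the application role on one connection within seconds are the pattern to alert on; legitimate Drupal traffic, where every query is built by the query builder, should produce almost none.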
REFERENCES
Drupal Security Advisory: SA-CORE-2026-004 — https://www.drupal.org/sa-core-2026-004
Drupal Pre-release Announcement: PSA-2026-05-18 — https://www.drupal.org/psa-2026-05-18
NVD Entry: CVE-2026-9082 — https://nvd.nist.gov/vuln/detail/CVE-2026-9082
Tenable Analysis — https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004
Proof of Concept: dinosn/drupal-sa-core-2026-004-lab — https://github.com/dinosn/drupal-sa-core-2026-004-lab
CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CWE Entry: CWE-89 — https://cwe.mitre.org/data/definitions/89.html
ABOUT 0DAYINC.COM
0dayinc.com provides independent research, threat intelligence, and vulnerability analysis. Our mission is to provide clear, technically accurate assessments of emerging threats to help security professionals prioritize their efforts.
*Disclaimer: The information contained herein is for informational purposes only. This content should be used to improve security posture and defensive capabilities. The authors and 0dayinc.com assume no liability for misuse of this information.*